Fourteen of the targets were the same as in the 2009 attacks, but nearly all of the U.S.-based targets such as The White House, State Department, FAA and FTC were removed from the target list. The modus operandi of the attacks was identical and unusually destructive for typical botnet attacks: the botnet, based in South Korea, was dynamically updated via new malware binaries, launched a relentless DDoS for slightly over a week, and then destroyed the machines it was deployed on by overwriting key data files such as source code and documents with zeroes, deleting them, and finally zeroing out the Master Boot Record (MBR) to render the computers unbootable.
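A responder triaging an affected disk wants a quick way to tell whether the MBR has been zeroed out as described above. The following is an added forensic example, not code from McAfee or from the report; it assumes a raw (dd-style) disk image whose sector 0 is a classic MBR (boot code in bytes 0..445, four 16-byte partition entries at 446..509, and the 0x55 0xAA boot signature at 510..511), and the sample sector it builds is constructed for demonstration.

```python
"""Classify the first sector of a raw disk image: intact, damaged, or zeroed.

Added example (not from the McAfee report). Assumes a classic MBR layout:
boot code at 0..445, partition table at 446..509, signature 0x55AA at 510..511.
"""
import struct

SECTOR = 512
PART_OFFSET = 446
SIG_OFFSET = 510


def assess_mbr(sector0: bytes) -> dict:
    """Inspect sector 0 and report signature, boot-code and partition findings."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    s = sector0[:SECTOR]
    signature_ok = s[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"
    boot_code_zeroed = not any(s[:PART_OFFSET])      # any() is True if a nonzero byte exists
    table = s[PART_OFFSET:SIG_OFFSET]
    partitions = []
    for i in range(0, 64, 16):
        entry = table[i:i + 16]
        if not any(entry):                           # empty slot
            continue
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) size(4)
        status, ptype, lba, size = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba": lba, "sectors": size})
    if not any(s):
        verdict = "zeroed"       # whole sector overwritten, matching the wiper behaviour
    elif not signature_ok:
        verdict = "damaged"      # data present but boot signature gone
    else:
        verdict = "intact"
    return {"verdict": verdict, "signature_ok": signature_ok,
            "boot_code_zeroed": boot_code_zeroed, "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed, minimal but well-formed MBR used as sample input."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PART_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 409600)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    print(assess_mbr(build_sample_mbr())["verdict"])   # intact
    print(assess_mbr(b"\x00" * SECTOR)["verdict"])     # zeroed
```

On a real image, read the first 512 bytes of the device or image file and pass them to `assess_mbr`.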

In March 2011, however, the level of sophistication was dramatically ramped up, especially for something as simple as a DDoS attack. In fact, it was analogous to bringing a Lamborghini to a go-cart race. Multiple encryption algorithms, such as AES, RC4, and RSA, were used to obfuscate numerous parts of the code and configuration of the attack components to slow down the analysis. Over 40 globally distributed multi-tier Command & Control servers (USA, Taiwan, Saudi Arabia, Russia and India accounted for over half of all the servers) were used to dynamically update the malware and its configurations in a fashion designed to be highly resilient against takedowns. It was also clear from our analysis of the code that multiple individuals, who may not have been in close coordination, were responsible for developing its various parts.

So what was the goal of these attacks, and why was so much effort employed to do something that’s fairly trivial in this day and age – flood a Web site with purposeless traffic to slow it down or bring it completely offline? We believe this incident, which we estimate has a 95% chance of being perpetrated by the same actors as the July 4th 2009 attacks, has very clear anti-Korean and anti-U.S. political motivations and is potentially even more insidious. The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicate that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities. This may very well have been a test, an armed cyber reconnaissance operation of sorts, perhaps conducted by the North Korean military as the South Korean National Intelligence Agency has asserted, to test the defenses and, more importantly, the reaction time of the Korean government and civilian networks to a well-organized and highly obfuscated attack. Knowing that would be invaluable in a possible future armed confrontation on the peninsula, since cyberspace has already become the fifth battlespace dimension, in addition to land, air, sea, and space.

• The target Web sites and methodology of the DDoS attacks
• The different cryptographic algorithms in place and how they have been used to deter analysis
• Interesting mistakes made by the actors involved
• Attribution theory and analysis of intent

As with most initiatives at McAfee, this was a team effort bringing together researchers from McAfee Labs with other departments at McAfee, our partners, and our customers. I would like to give a special thanks to the US-CERT, Department of Defense analysts, and AhnLabs, as well as our own – Dmitri Alperovitch, Brian Contos, Sven Krasser – and countless others for their tireless effort, support, and fighting the good fight every day.